authorization flow broken #63
Comments
Looking... thanks!
…out when dealing with an authorization response with no provided realm.
OK, after looking, you can implement what you call the 'short term' solution as a ResponseFilter. For the long-term solution, any contribution is welcome! I will keep the issue open and will see what can be done for 1.8.0.
NettyAsyncHttpProvider does not support authorization customization (I need to implement HTTP-MAC). Every time a 401 response is returned, Netty takes control and replays the request with an invalid credential. In the previous version, Netty supported this kind of customization. Why did you guys remove this feature? The fix is just trivial:
Looks like the
Considering as fixed, please notify otherwise.
For most use cases, especially when connecting to any APIs, the current flow for authentication is unusable.
Netty and Grizzly adapters do not provide a way to get at the www-authenticate header or otherwise cache auth credentials. That's pretty much a requirement for any high volume traffic using auth.
If you do not have a realm set, Netty will create one for you and use it. This makes no sense as it's guaranteed to fail.
In grizzly, if you do not have a realm set, grizzly will just abort. This is also bad because now you have to wait for the future to timeout. In most cases you want to immediately re-send the request with the authorization header, not wait on a timeout.
The correct long term solution IMO is as follows:
If the user doesn't set a realm, don't do anything additional for 401s.
Have a flag to cache the authorization, and an optional expiration on the cache.
A short term solution is to be able to disable 401 handling by the client. That way it's possible to still use AHC while its auth support is being fixed.
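The long-term flow proposed above, written out as an added, stand-alone Python model (not AHC code, and not from anyone in this thread): a 401 with no configured realm is handed back untouched, a challenge for the configured realm yields a cached Authorization value (keyed by host and realm, with an optional TTL) and a single replay, and a second 401 after a replay evicts the cache entry instead of looping. The `make_authorization` callback, `AuthFlow` class and its method names are assumptions for the example.

```python
import re
import time

# Tokenises WWW-Authenticate parameters, e.g. 'Basic realm="api", charset="UTF-8"'.
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=([^\s,]+)')


def parse_www_authenticate(value):
    """Return (scheme, {param: value}) for one challenge header value."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for qk, qv, bk, bv in _PARAM_RE.findall(rest):
        params[(qk or bk).lower()] = qv if qk else bv
    return scheme, params


class AuthFlow:
    """Hypothetical client-side 401 policy modelling the proposal in this issue."""

    def __init__(self, realm, make_authorization, cache_ttl=None):
        self.realm = realm                          # None: leave 401s to the caller
        self.make_authorization = make_authorization  # (scheme, params) -> header value
        self.cache_ttl = cache_ttl                  # seconds, None = never expires
        self._cache = {}                            # (host, realm) -> (header, expires_at)

    def cached_authorization(self, host, now=None):
        """Header to send pre-emptively, or None if absent or expired."""
        now = time.time() if now is None else now
        entry = self._cache.get((host, self.realm))
        if entry is None:
            return None
        header, expires_at = entry
        if expires_at is not None and now >= expires_at:
            del self._cache[(host, self.realm)]     # expired: force a recompute
            return None
        return header

    def on_401(self, host, www_authenticate, already_replayed=False, now=None):
        """Return ('pass_through', None) or ('replay', authorization_header)."""
        if self.realm is None or already_replayed:
            self._cache.pop((host, self.realm), None)  # rejected credential: drop it
            return ("pass_through", None)             # no retry loop with bad credentials
        scheme, params = parse_www_authenticate(www_authenticate)
        if params.get("realm") != self.realm:
            return ("pass_through", None)             # challenge is for another realm
        now = time.time() if now is None else now
        header = self.cached_authorization(host, now)
        if header is None:
            header = self.make_authorization(scheme, params)
            expires_at = None if self.cache_ttl is None else now + self.cache_ttl
            self._cache[(host, self.realm)] = (header, expires_at)
        return ("replay", header)
```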